Splunk Enterprise Security

Can splunk be 100% CIM Compliance?

ujuka
New Member

My team is always complaining that Splunk is not CIM compliant. Most data sources in Splunk, such as Symantec Endpoint and Blue Coat logs, are not completely CIM compliant. They are 80% CIM compliant. My question is: can Splunk ever be 100% CIM compliant, or am I trying to do something that can't be achieved?


LukeMurphey
Champion

I'm one of the founders of Enterprise Security (which was a big driver in the CIM, which I also helped develop) and I completely agree that CIM compliance in the way that your coworkers are describing is flawed.

Here are some observations:

  1. The main point of CIM compliance is to enable use-cases and help you solve problems. The question ought to be less "what is the rate of CIM compliance?"; it should rather be "what use-cases can I not do as a result of logs that don't match the CIM?". Conversely, you could even have high compliance while missing key use-cases (e.g. "I have 99% compliance but I just so happen to ignore those log messages that say my firewall is failing").
  2. The CIM doesn't have models for every conceivable type of data; it was never meant to cover absolutely everything. This is why the CIM is updated with new models every once in a while.
  3. Some logs are extremely complicated to parse consistently because they include several formats. Consider Unix logs which may have many, many sources and several formats. 100% coverage would be unrealistic.
  4. CIM compliance often follows the Pareto Principle in that the first 80% of the data takes 20% of the effort. The last 20% will likely be as hard if not harder than the first 80%. One needs to consider the real value of that 20% before determining if it is worth spending the time to get them compliant. It likely isn't worth the effort (assuming it can even be done).

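As an added illustration of point 1 (example code written for this page, not Luke's or Splunk's), here is a Python script that scores constructed sample events two ways: as one flat field-coverage percentage, and per use case, so that a high overall number cannot hide a use case that is actually blocked. The model field subsets use real CIM field names, but the two use-case definitions and the sample events are assumptions.

```python
"""Score CIM coverage per use case instead of as a single percentage."""

# Subsets of two CIM data models (real CIM field names; the full models
# contain more fields than are listed here).
MODEL_FIELDS = {
    "Web": ("src", "dest", "action", "url", "status"),
    "Network_Traffic": ("src", "dest", "action", "dvc"),
}

# Hypothetical use cases: the model and the fields each one needs.
USE_CASES = {
    "blocked_web_requests": ("Web", ("src", "dest", "action", "url")),
    "firewall_health": ("Network_Traffic", ("dvc", "action")),
}

# Constructed sample events, as a TA would leave them after field extraction.
# None means the model defines the field but nothing was extracted for it.
EVENTS = [
    {"model": "Web", "src": f"10.0.0.{i}", "dest": "example.com",
     "action": "allowed", "url": "/", "status": 200}
    for i in range(1, 10)
] + [
    # A firewall failure message from which the TA extracts only the device name.
    {"model": "Network_Traffic", "dvc": "fw01", "src": None, "dest": None, "action": None},
]


def field_coverage(events):
    """Flat compliance: populated field slots / total field slots, over all events."""
    filled = total = 0
    for ev in events:
        for field in MODEL_FIELDS[ev["model"]]:
            total += 1
            filled += int(ev.get(field) is not None)
    return filled / total


def use_case_readiness(events):
    """Per use case: share of its model's events that carry every needed field."""
    result = {}
    for name, (model, needed) in USE_CASES.items():
        relevant = [ev for ev in events if ev["model"] == model]
        ready = [ev for ev in relevant if all(ev.get(f) is not None for f in needed)]
        result[name] = len(ready) / len(relevant) if relevant else 0.0
    return result


def missing_fields(events, use_case):
    """Fields a use case needs that are absent from at least one relevant event."""
    model, needed = USE_CASES[use_case]
    relevant = [ev for ev in events if ev["model"] == model]
    return sorted({f for ev in relevant for f in needed if ev.get(f) is None})
```

On the sample data the flat score is about 94%, yet the firewall health use case is 0% ready because the `action` field is never extracted; that gap is what to fix, not the overall percentage.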

ujuka
New Member

Hi Luke,
Thanks for answering the question. Hope this will help me explain to the team that the CIM compliance percentage should be driven by use cases.

Thank You,
Ujuka


richgalloway
SplunkTrust

I doubt you will ever see 100% CIM compliance. That would require every event to contain every CIM field for a given datamodel and that just doesn't happen, IME. I'm not saying it isn't possible, but it's probably impractical. I'd be very happy with 80% compliance, TBH.

---
If this reply helps you, Karma would be appreciated.